[feature] Provide a method to delete/reset an existing session

[segevfiner]

Is your feature request related to a problem? Please describe. To avoid session fixation attacks, when implementing login or similar operations that modify the user context of a session, you need to wipe any existing session and switch to a new session ID, gorilla/sessions doesn't provide an easy way to do so.

This applies to server-side stores that use session IDs and can invalidate sessions server-side, client side cookie stores already just change the cookie, so trying to fixate a session with them is moot, but they are vulnerable to someone stealing the cookie as always.

An attack like that will involve an attacker somehow managing to set his own cookie so that the next time a user logs in, it reuses his session ID, also logging in the attacker.

See https://guides.rubyonrails.org/security.html#session-fixation-countermeasures

Describe the solution you'd like Provide a method to wipe an existing session, so it can be replaced with a new one. This means that the old session is no longer valid, even if a cookie with the same session ID is somehow passed along back to the app after being deleted, and the new session will use a new session ID.

Also note that when deleting a cookie with MaxAge: -1 (Max-Age: 0), the value can probably be set to empty.

Describe alternatives you've considered Working around this somehow. Trying to use New and Save to delete a session, and then New/Get a new session, will cause the cookie to be emitted twice with the CookieStore, the second New/Get will also still return the old session is it doesn't touch the http.Request cookie.

Note that it's not enough to just wipe Values it will use the same session ID with the FilesystemStore or other server-side stores, leading to a session fixation vulnerability.

[stale[bot]]

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.